What are those ignorable certificate errors after the SSL connection with StreamSocket to the remote server failed?

Question

Win8.1 has provided apps the ability to ignore some SSL certificate errors. Jeff Sanders has made an example to do this via HttpClient with C#. But it is the same in C++ with StreamSocket.

When we make an SSL connection to the remote server with StreamSocket, the connection might fail with SSL certificate errors. If the ServerCertificateErrorSeverity is ignorable, it means that there are certificate errors that could be ignored. Thus we could add it into the vector StreamSocket::StreamSocketControl::IgnorableServerCertificateErrors. Later we could re-connect to the remote server again with the same StreamSocket.

1. For any SSL certificate error, if it couldn't be ignored, then it will not be present in StreamSocket::StreamSocketControl::IgnorableServerCertificateErrors. Is it? (I think it should be yes).

2. Are all those enumerations in ChainValidationResult ignorable?

3. The last enumeration is "otherErrors". I personally think that all those errors that couldn't be ignored have been excluded from the enumerations, thus "otherErrors" is not in the list of errors that couldn't be ignored. But would it be possible that the SSL connection would still fail after adding "otherErrors" to the ignorable list?

4. Is there a list that contains all ignorable and un-ignorable SSL certificate errors?

Answers

1. For any SSL certificate error, if it couldn't be ignored, then it will not be present in StreamSocket::StreamSocketControl::IgnorableServerCertificateErrors. Is it? (I think it should be yes).

[Prashant]: Yes, that is correct. If you try to add/append a ChainValidationResult::<value> where the value is not ignorable, then the Append (Add in C#) call will throw a "The parameter is incorrect" exception.

2. Are all those enumerations in ChainValidationResult ignorable?

[Prashant]: No, not all errors are ignorable.

3. The last enumeration is "otherErrors". I personally think that all those errors that couldn't be ignored have been excluded from the enumerations, thus "otherErrors" is not in the list of errors that couldn't be ignored. But would it be possible that the SSL connection would still fail after adding "otherErrors" to the ignorable list?

[Prashant]: You cannot add "OtherErrors" to the IgnorableServerCertificateErrors collection. Doing so throws an exception saying that "The parameter is incorrect". OtherErrors is really not a server certificate validation error and could mean other types of errors, such as access denied due to weird registry issues or some unrelated errors that don't map to Cryptography errors.

4. Is there a list that contains all ignorable and un-ignorable SSL certificate errors?

[Prashant]: There doesn't appear to be any external documentation stating what is ignorable vs. not ignorable (other than doing the Add/Append yourself and seeing which throws the exception :)...), but here's the complete list of what is ignorable vs. not ignorable:
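Separately from the list referred to above, the following is an added example (not code from the question, the answer, or Microsoft's samples) of the connect, inspect and reconnect flow the thread describes, written in C# and restricted to an explicit allowlist so that the app does not blindly accept every error the server reports. The class name, the `Tolerated` set and the choice of `Tls12` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Windows.Networking;
using Windows.Networking.Sockets;
using Windows.Security.Cryptography.Certificates;

static class AllowlistedTlsConnector // hypothetical helper name
{
    // Assumption: the only error this app tolerates, e.g. for a lab server
    // with a self-signed certificate. Keep this set as small as possible.
    static readonly HashSet<ChainValidationResult> Tolerated =
        new HashSet<ChainValidationResult> { ChainValidationResult.Untrusted };

    public static async Task<StreamSocket> ConnectAsync(string host, string port)
    {
        var socket = new StreamSocket();
        var name = new HostName(host);
        try
        {
            await socket.ConnectAsync(name, port, SocketProtectionLevel.Tls12);
            return socket; // certificate validated without errors
        }
        catch (Exception)
        {
            // Retry only when the platform marks the failure as ignorable.
            if (socket.Information.ServerCertificateErrorSeverity != SocketSslErrorSeverity.Ignorable)
            { socket.Dispose(); throw; }
        }
        var reported = socket.Information.ServerCertificateErrors;
        var unexpected = reported.Where(e => !Tolerated.Contains(e)).ToList();
        if (unexpected.Count > 0)
        {
            // The server shows errors outside the allowlist: fail closed.
            socket.Dispose();
            throw new InvalidOperationException(
                "Refusing certificate errors: " + string.Join(", ", unexpected));
        }
        foreach (var error in reported)
        {
            // Add throws "The parameter is incorrect" for a non-ignorable value.
            socket.Control.IgnorableServerCertificateErrors.Add(error);
        }
        // Reconnect on the same StreamSocket with the tolerated errors registered.
        await socket.ConnectAsync(name, port, SocketProtectionLevel.Tls12);
        return socket;
    }
}
```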
